A community is an object which links your Realms to the Salesforce Community that will host your deployments.
During the creation of a community a few related objects are created. They are described below.
Each community onboarded on CYM-Identity must have two connected apps linked to it.
The link is made through the connected apps' client_ids (consumer_key).
The connected app is how the different flows from CYM-Identity are able to connect to your Salesforce Community.
The connected apps must have the following properties:
- Scopes: `api`, `refresh_token`, `web`
- Users: Admin approved users
- Profiles & Permission sets: the connected app must have exactly the same profiles & permission sets enabled as the Salesforce Community
- A digital certificate must be uploaded to the connected app (the private key of the certificate must be stored in the community object record)
The purposes of the two connected apps are:
- cym__RunAs_{CommunityId}: this connected app is used for all RunAs commands issued by the different flows
- cym__Sso_{CommunityId}: this connected app is used for all `session.activate()` and `session.resume()` operations, which allow you to start a session without the usual username and password flow.
Each community must have its base domain enabled as a Remote Site Setting.
The Remote Site Setting must have the following:
- name = `cym_community_${community_id}`
- url = standard community domain (you can use the Apex expression `Network.getCommunityById(${community_id}).siteUrl` to get this value)
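As an added illustration that is not part of the CYM-Identity documentation, this is what the Remote Site Setting described above looks like as Metadata API source. The community id in the file name and the community domain are constructed placeholders; the real values come from your org and from the Apex expression above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- File: remoteSiteSettings/cym_community_0DBPLACEHOLDER01.remoteSite-meta.xml
     The setting's name is taken from the file name and must match
     cym_community_${community_id}; "0DBPLACEHOLDER01" is a constructed id. -->
<RemoteSiteSetting xmlns="http://soap.sforce.com/2006/04/metadata">
    <description>CYM-Identity callout target for the community</description>
    <!-- Keep protocol security enabled so callouts to the community stay on HTTPS. -->
    <disableProtocolSecurity>false</disableProtocolSecurity>
    <isActive>true</isActive>
    <!-- Constructed example domain; use the community's standard siteUrl here. -->
    <url>https://example-community.my.site.com</url>
</RemoteSiteSetting>
```

Deploy it with the rest of your metadata; if `disableProtocolSecurity` is ever set to `true`, plain-HTTP callouts to the community domain become possible, so leave it `false`.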
The external auth server plays the role of generating access_tokens for flows where the protected resource is hosted by the Salesforce Community (e.g. a realm dynamic client registration).
The External Auth Server must have:
- `cym.StandardCommunityAuthServerPlugin` as the plugin
- the Community issuer as the audience
Although hidden on the standard CYM-Identity layout, a community stores the private key of the certificate which is uploaded on the connected app.
The private key is encrypted at rest by default.
Attribute | Required | Description |
---|---|---|
Name | Yes | The authenticator name used internally to reference the authenticator |
Community__c | Yes | The parent community of the authenticator |
Provider__c | Yes | Provider name of the authenticator |
MaxAge__c | Yes | The maximum age in seconds that authentication with this authenticator will be valid for. 0 means that the authentication follows the session setting of the current user. |
Amrs__c | Yes | The list of Authentication Methods that the authenticator uses |
Config__c | No | The configuration data for the authenticator. Note that by default CYM-Identity will encrypt the data in this field. |
By default, CYM-Identity installs the following providers:
- Use this authenticator to accept sessions where the user used their username & password. This authenticator does not have any configuration.
- Use this authenticator to accept sessions where the user used an OTP over SMS using the standard Salesforce SMS service. It can be used either as a first factor (passwordless login) or as a second factor (identity verification). This authenticator does not have any configuration.
- Use this authenticator to accept sessions where the user used an OTP over Email using the standard Salesforce email service. It can be used either as a first factor (passwordless login) or as a second factor (identity verification). This authenticator does not have any configuration.
- Use this authenticator to accept sessions where the user used an OTP generated by an application like Google Authenticator or Salesforce Authenticator. This authenticator does not have any configuration.
- Use this authenticator to accept sessions where the user used a push notification through the Salesforce Authenticator app. This authenticator does not have any configuration.
- Use this authenticator to accept sessions where the user authenticated through a third party provider (Auth. Provider or SAML Provider). Once you create the authenticator, you'll need to provide the Auth. Provider ID in the configuration.
- Use this authenticator to accept sessions where the user authenticated to a connected app and uses an access_token with frontdoor.jsp. Once you create the authenticator, you'll need to provide the connected app name in the configuration.